Navigation Menu

Friday, 19 December 2014

whenChanged vs usnChanged - Active Directory

Description:

In this article, I am going to explain about the Active Directory attributes whenChanged and usnChanged. Both attributes hold the information of AD object's latest change point in different format. Both attributes are very useful to track Active Directory object changes.

Summary:

WhenChanged is a date time attribute which holds an AD object's latest changed time and it is Non-Replicable attribute.

uSNChanged is a integer attribute and it will be updated when the object is changed.

Both are Non-Replicable attributes but that doesn't mean every domain controller holds very different value like lastLogon attrbute. Yes, both are non-replicable attributes but it will be updated in all DCs for every AD change.

How whenChanged attribute value get updated in all DCs?

Before explain this, I would like to explain what is Active Directory Replication?. In Active Directory, objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.

So, AD replication ensures same data in all DCs by transferring every change automatically to other DC,

Consider this scenario:

If you change the value for description attribute of any object as "test", it will be updated in all other DC but here you have not changed either whenChanged or uSNChanged then how it gets updated in your own DC?.
You know whenChanged is system attribute and it will be automatically updated for every change. So the description attribute change indirectly force the whenChanged attribute to set latest time. Like this, the replication change on every DC will automatically force the whenChanged attribute to set the particular DC's latest time. So, the value of whenChanged attribute may or may not be identical in all DCs depends upon the replication interval.

For more clarity, consider this scenario:

DC1- AD Domain Controller 1DC2- AD Domain Controller 2U1- an AD user

Replication Interval: 15 secs

If you change the user U1's description value in DC1 at 10:10:00 AM, the whenChanged attribute gets updated as 10:10:00 AM in DC1. Since the replication interval is 15 secs, the description value will be replicated into DC2 at 10:10:15 AM and it automatically updates the whenChanged attribute as 10:10:15 AM in DC2. So depends upon the replication interval the value of whenChanged attribute may or may not be identical in all domain controllers but it holds the updated value.

How usnChanged attribute value get updated?

When a domain controller modifies an object, it increments the highestCommittedUSN attribute value. When the increment occurs, the domain controller also sets the uSNChanged attribute for that object to the new value. In this process, each change to an object in Active Directory is stamped with a unique and monotonic value. Therefore, a program can obtain the most recent changes to an object on a domain controller by finding the object that has the largest uSNChanged attribute value. Similarly, the second largest uSNChanged attribute value corresponds to the second most recently changed object, and this process is repeated.

If you change the user U1's description value through DC1. First, DC1 will increment its highestCommittedUSN attribute value into 10001 and update this value into user U1's uSNChanged attribute. So, now U1's uSNChanged value becomes 10001. Now, if you change U2's description value through DC1, now DC1 will increment its highestCommittedUSN attribute value into 10002 and update this value into user U2's uSNChanged attribute. So, now U2's uSNChanged value will be changed from 4000 to 10002. In this way, the Domain Controller always keeps the latest change object record. This mechanism will be very useful to track Active Director changes using Polling method.